Federal officials have released a final rule setting guidelines, including privacy and security provisions, for the state health insurance exchanges called for under healthcare reform, which must begin operating by 2014.

The exchanges will provide consumers and smaller employers with an easier way to shop for insurance coverage from multiple health plans. The rule, revealed on the Federal Register Public Inspection Desk March 12, will be officially published in the Federal Register March 27.

Privacy, Security Provisions

Section 155.260 of the rule from the Department of Health and Human Services spells out privacy and security provisions. Among them are:

Personally identifiable health information should be protected with reasonable operational, administrative, technical and physical safeguards to ensure its confidentiality, integrity and availability and to prevent unauthorized or inappropriate access, use or disclosure.

Anyone who uses or discloses information in violation of the Affordable Care Act (healthcare reform) will be subject to a civil penalty of not more than $25,000 per person or entity, per use or disclosure, in addition to other penalties that may be prescribed by law.

Exchanges may only use or disclose personally identifiable information to the extent such information is necessary to carry out their narrowly defined functions, such as to determine eligibility for enrollment.

Individuals should be provided a reasonable opportunity to make informed decisions about the collection, use and disclosure of their personally identifiable health information.

Individuals should be provided with a simple and timely means to access and obtain their personally identifiable health information in a readable format.

About the Author

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
